Issues Fixed in DC/OS 1.10.11

For information about other issues fixed or known issues for the most recent release of DC/OS 1.10 prior to this security fix, see the release notes 1.10.10.

Mesos

DCOS-48052 - An update to the containerizer launch binary prevents a malicious user from exploiting the init helper function used by container runtimes–including DockerD, containerD, and UCR. Without this change, a malicious user could gain access to a container’s root-level permissions and use those permissions to execute potentially malicious code on the host.

This issue has been reported by the RunC community (CVE-2019-5736) and affects the Docker Engine and Mesosphere Kubernetes Engine (MKE) container runtime components. The issue has also been reported by the Apache Mesos community for the Mesosphere Universal Container Runtime (UCR). All existing versions of DC/OS, Mesosphere Kuberentes Engine, and Docker Engine are affected by this vulnerability. However, this vulnerability does not affect DC/OS clusters or UCR containers if the cluster runs using the strict security mode and uses the default nobody user account to launch UCR containers.

You can use Edge-LB load balancer to balance Mesos tasks. The Edge-LB load balancer does not support strict security mode. View the documentation.Enterprise

Security Enterprise

Custom CA certificate support.
Installation time configuration options have been added that allow you to configure DC/OS Enterprise to use a custom CA certificate and corresponding private key, which DC/OS then uses for issuing all component certificates. The custom CA certificate can be an intermediate CA certificate so that that all certificates used within the DC/OS cluster derive from your organization’s X.509 certification hierarchy.

Enhanced secrets management with file-based secrets.
You can now make a secret available to your service in the sandbox of the task. View the documentation.

Vastly improved IAM scalability and performance characteristics.
The new system removes hard limits on the number of users, groups, and permissions that can be stored, and shows stable read and write performance as the dataset grows.

Docker pullConfig parameter.
Use this parameter in your service definition to authenticate to a private Docker registry. View the documentation.

Enterprise CLI permissions management commands.
It is now possible to manage permissions to protect resources using the DC/OS Enterprise CLI.

Kubernetes on DC/OS

Kubernetes on DC/OS is beta with DC/OS 1.10. You can install the package from the DC/OS Service Catalog or by using the DC/OS Kubernetes quickstart.

Updated DC/OS Data Services

Ability to deploy to CNI-Based Virtual Networks.

Rolling Configuration Update and Upgrades support via the CLI. Enterprise

Ability to deploy Data Services into Folders to enable multi team deployments. Enterprise

The following updated data services packages are compatible with DC/OS 1.10.

For more information, see the documentation or release notes for the specific data services package in which you are interested.

Platform

Node and cluster health checks.
Write your own custom health checks or use the predefined checks to access and use information about your cluster, including available ports, Mesos agent status, and IP detect script validation. View the documentation.

Universal Container Runtime (UCR).
Adds port mapping support for containers running on the CNI network. Port mapping support allows UCR to have a default bridge network, similar to Docker’s default bridge network. This gives UCR feature parity with Docker Engine enabling use of Mesos Runtime as the default container runtime.

Scale and performance limits.

CLI

DC/OS CLI 0.4.x has a single configuration file, stored by default in ~/.dcos/dcos.toml. DC/OS CLI 0.5.x has a configuration file for each connected cluster. Each cluster configuration file is stored by default in ~/.dcos/clusters/<cluster_id>/dcos.toml.

DC/OS CLI 0.5.x introduces the dcos cluster setup command to configure a connection to a cluster and log into the cluster.

Updating to the DC/OS CLI 0.5.x and running any CLI command triggers conversion from the old to the new configuration structure.

If you attempt to update the cluster configuration using a dcos config set command after using dcos cluster setup or converting to DC/OS CLI 0.5.x, the command prints a warning message saying the command is deprecated and that cluster configuration state might now be corrupted.

If you have the DCOS_CONFIG environment variable configured:

After conversion to the new configuration structure, DCOS_CONFIG is no longer honored.

Before you call dcos cluster setup, you can change the configuration pointed to by DCOS_CONFIG using dcos config set. This command prints a warning message saying the command is deprecated and recommends using dcos cluster setup.

CLI modules are cluster-specific and stored in ~/.dcos/clusters/<cluster_id>/subcommands. Therefore you must install a CLI module for each cluster. For example, if you connect to cluster 1, and install the Spark module, then connect to cluster 2 which is also running Spark, Spark CLI commands are not available until you install the module for that cluster.

GUI

The GUI sidebar tabs have been updated to offer a more intuitive experience.

The “Deployments” subpage under the “Services” tab has been moved to a toggle-able modal in the “Services” page.

The “Security” tab has been removed. The “Secrets” tab that used to be under “Security” is now a top-level tab. Enterprise

The “Universe” tab has been renamed to “Catalog” and the “Installed” subpage has been removed.

The “System Overview” tab has been renamed to “Overview”.

Breaking Changes

Marathon Networking API Changes in 1.5.

The networking section of the Marathon API has changed significantly in version 1.5. Marathon can still accept requests using the 1.4 version of the API, but it will always reply with the 1.5 version of the app definition. This will break tools that consume networking-related fields of the service definition. View the documentation.

TLS 1.0 is no longer enabled by default in Admin Router. Enterprise

TLS 1.0 no longer meets common minimum security requirements. To use TLS 1.0, set adminrouter_tls_1_0_enabled to true in your config.yaml at install time. The default is false.

Moved file location for the DC/OS CA bundle in the sandbox of Mesos tasks from $MESOS_SANDBOX/.ssl/ca.crt to $MESOS_SANDBOX/.ssl/ca-bundle.crt and declared the new file path to be stable.

DC/OS 1.10 upgrades REX-Ray from v0.3.3 to v0.9.0 and the REX-Ray configuration format has changed. If you have specified custom REX-Ray configuration in the rexray_config parameter of your config.yaml file, either update the configuration to the new format or remove rexray_config and set the parameter to rexray_config_preset: aws, which configures the rexray_config parameter to the default REX-Ray configuration bundled with DC/OS. This option has the benefit of automatically upgrading your cluster’s REX-Ray configuration when you upgrade to a newer version of DC/OS.

NOTE: The `rexray_config_preset: aws` option is only relevant to DC/OS clusters running on AWS.

New flow to change the dcos_url and log in.

The new command to set up your cluster URL is dcos cluster setup <dcos_url>. For details, see CLI.

Hard CFS CPU limits enabled by default.

DC/OS 1.10 enforces hard CPU limits with CFS isolation for both the Docker and Universal Container Runtimes. This will give more predictable performance across all tasks but might lead to a slowdown for tasks (and thereby also deployments) who have previously have consumed more CPU cycles than allocated. See MESOS-6134 for more details.